disinto-admin/disinto
1
0
Fork 0
Code Issues 20 Pull requests 1 Projects Releases Packages Wiki Activity Actions
disinto/nomad/vault.hcl
Claude 57bc88b9a7
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details
fix: [nomad-step-0] S0.3 — install vault + systemd auto-unseal + vault-init.sh (dev-persisted seal) (#823) 
Adds the Vault half of the factory-dev-box bringup, landed but not started
(per the install-but-don't-start pattern used for nomad in #822):

- lib/init/nomad/install.sh — now also installs vault from the shared
  HashiCorp apt repo. VAULT_VERSION pinned (1.18.5). Fast-path skips apt
  entirely when both binaries are at their pins; partial upgrades only
  touch the package that drifted.

- nomad/vault.hcl — single-node config: file storage backend at
  /var/lib/vault/data, localhost listener on :8200, ui on, mlock kept on.
  No TLS / HA / audit yet; those land in later steps.

- lib/init/nomad/systemd-vault.sh — writes /etc/systemd/system/vault.service
  (Type=notify, ExecStartPost auto-unseals from /etc/vault.d/unseal.key,
  CAP_IPC_LOCK granted for mlock), deploys nomad/vault.hcl to
  /etc/vault.d/, creates /var/lib/vault/data (0700 root), enables the
  unit without starting it. Idempotent via content-compare.

- lib/init/nomad/vault-init.sh — first-run init: spawns a temporary
  `vault server` if not already reachable, runs operator-init with
  key-shares=1/threshold=1, persists unseal.key + root.token (0400 root),
  unseals once in-process, shuts down the temp server. Re-run detects
  initialized + unseal.key present → no-op. Initialized but key missing
  is a hard failure (can't recover).

lib/hvault.sh already defaults VAULT_TOKEN to /etc/vault.d/root.token
when the env var is absent, so no change needed there.

Seal model: the single unseal key lives on disk; seal-key theft equals
vault theft. Factory-dev-box-acceptable tradeoff — avoids running a
second Vault to auto-unseal the first.

Blocks S0.4 (#824).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 06:36:17 +00:00

41 lines
1.7 KiB
HCL
Raw Blame History

# =============================================================================
# nomad/vault.hcl — Single-node Vault configuration (dev-persisted seal)
#
# Part of the Nomad+Vault migration (S0.3, issue #823). Deployed to
# /etc/vault.d/vault.hcl on the factory dev box.
#
# Seal model: the single unseal key lives on disk at /etc/vault.d/unseal.key
# (0400 root) and is read by systemd ExecStartPost on every boot. This is
# the factory-dev-box-acceptable tradeoff — seal-key theft equals vault
# theft, but we avoid running a second Vault to auto-unseal the first.
#
# This is a factory dev-box baseline — TLS, HA, Raft storage, and audit
# devices are deliberately absent. Storage is the `file` backend (single
# node only). Listener is localhost-only, so no external TLS is needed.
# =============================================================================
# File storage backend — single-node only, no HA, no raft. State lives in
# /var/lib/vault/data which is created (root:root 0700) by
# lib/init/nomad/systemd-vault.sh before the unit starts.
storage "file" {
path = "/var/lib/vault/data"
}
# Localhost-only listener. TLS is disabled because all callers are on the
# same box — flipping this to tls_disable=false is an audit-worthy change
# paired with cert provisioning.
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = true
}
# mlock prevents Vault's in-memory secrets from being swapped to disk. We
# keep it enabled; the systemd unit grants CAP_IPC_LOCK so mlock() succeeds.
disable_mlock = false
# Advertised API address — used by Vault clients on this host. Matches
# the listener above.
api_addr = "http://127.0.0.1:8200"
# UI on by default — same bind as listener, no TLS (localhost only).
ui = true
Reference in a new issue View git blame Copy permalink